WHAT IS CLAIMED IS: 

1 . An operating system identification system comprising: 

an identification module configured to execute a plurality of operating system 
identification tests, each operating system identification test configured to make an 
identification of an operating system being executed by a network node; 

a plurality of identification rules configured to define a procedure by which 
the identification module makes an overall identification of the operating system, 
wherein the overall identification is based at least in part on at least one of the 
identifications made by the plurality of operating system identification tests; and 

a conflict resolution module configured to detect at least one of a plurality of 
cases defined by a plurality of conflict resolution definitions in which at least some of 
the plurality of operating system identification tests disagree in their identification of 
the operating system, and configured to, upon detecting such a case, to make an 
identification of the operating system and to cause the identification module to 
modify the overall identification based at least on the identification made by the 
conflict resolution module. 

2. The operating system identification system of Claim 1, wherein the plurality 
of operating system identification tests includes a Transmission Control Protocol 
identification test. 

3. The operating system identification system of Claim 2, wherein the plurality 
of operating system identification tests further includes an Internet Control Message Protocol 
identification test. 

4. The operating system identification system of Claim 3, wherein the plurality 
of operating system identification tests further includes a banner matching test. 

5. The operating system identification system of Claim 4, wherein the plurality 
of operating system identification tests further includes an open port signature test. 

6. The operating system identification system of Claim 5, wherein the plurality 
of operating system identification tests further includes a NULL session enumeration test. 
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7. The operating system identification system of Claim 1, wherein the plurality 
of operating system identification tests includes an Internet Control Message Protocol 
identification test. 

8. The operating system identification system of Claim 1, wherein the plurality 
of operating system identification tests includes a banner matching test. 

9. The operating system identification system of Claim 1, wherein the plurality 
of operating system identification tests includes an open port signature test. 

10. The operating system identification system of Claim 1, wherein the plurality 
of operating system identification tests includes a NULL session enumeration test. 

1 1 . The operating system identification system of Claim 4, further comprising a 
plurality of identification fingerprints, each identification fingerprint configured to associate 
an operating system with responses expected to be generated by the associated operating 
system in response to execution of one of the identification tests, wherein the identification 
made by each identification test is based, at least in part, on comparisons between the 
identification fingerprints and actual responses generated by a tested operating system in 
response to execution of one of the identification tests. 

12. The operating system identification system of Claim 1 1, further comprising a 
logic engine, wherein the logic engine performs the comparisons between the identification 
fingerprints and actual responses. 

13. The operating system identification system of Claim 12, wherein at least one 
of the comparsons performed by the logic engine is a fuzzy logic comparison. 

14. The operating system identification system of Claim 4, wherein each 
identification of the operating system made by one of the identification tests is associated 
with a confidence level indicating a degree to which the identification is deemed to be 
accurate, and wherein the overall identification is further based on the confidence level 
associated with the at least one identification relied upon to make the overall identification. 

15. The operating system identification system of Claim 14, wherein each 
associated confidence level represents a probability that the identification is accurate. 
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16. An operating system identification system comprising: 

an identification module configured to execute a plurality of operating system 
identification tests including at least a Transmission Control Protocol identification 
test, an Internet Control Message Protocol identification test, and a banner matching 
test, each operating system identification test configured to make an identification of 
an operating system being executed by a network node; and 

a plurality of identification rules configured to define a procedure by which 
the identification module makes an overall identification of the operating system, 
wherein the overall identification is based at least on at least one of the identifications 
made by the plurality of operating system identification tests. 

17. The operating system identification system of Claim 16, wherein the plurality 
of operating system identification tests further includes an open port signature test. 

18. The operating system identification system of Claim 17, wherein the plurality 
of operating system identification tests further includes a NULL session enumeration test. 

19. The operating system identification system of Claim 16, further comprising a 
plurality of identification fingerprints, each identification fingerprint configured to associate 
an operating system with responses expected to be generated by the associated operating 
system in response to execution of one of the identification tests, wherein the identification 
made by each identification test is based, at least in part, on comparisons between the 
identification fingerprints and actual responses generated by a tested operating system in 
response to execution of one of the identification tests. 

20. The operating system identification system of Claim 19, further comprising a 
logic engine, wherein the logic engine performs the comparisons between the identification 
fingerprints and the actual responses. 

21. The operating system identification system of Claim 20, wherein at least one 
of the comparsons performed by the logic engine is a fuzzy logic comparison. 
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22. The operating system identification system of Claim 16, wherein each 
identification of the operating system made by one of the identification tests is associated 
with a confidence level indicating a degree to which the identification is deemed accurate, 
and wherein the overall identification is further based on the confidence level associated with 
the at least one identification relied upon to make the overall identification. 

23. The operating system identification system of Claim 22, wherein each 
associated confidence level represents a probability that the identification is accurate. 
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24. A method of identifying an operating system executed by a network node, 
comprising: 

transmitting a first plurality of Transmission Control Protocol packets to a 
network node on a computer network, receiving in response a second plurality of 
Transmission Control Protocol packets, and generating, based on characteristics of the 
second plurality of Transmission Control Protocol packets, a first identification of 
which operating system is executed by the network node and a first confidence level 
indicating a degree to which the first identification is deemed accurate; 

transmitting at least a first plurality of Internet Control Message Protocol 
packets to the network node, receiving in response at least a second plurality of 
Internet Control Message Protocol packets, and generating, based at least on 
characteristics of the second plurality of Internet Control Message Protocol packets, a 
second identification of which operating system is executed by the network node and 
a second confidence level indicating a degree to which the second identification is 
deemed accurate; 

connecting to at least one open port on the network node, transmitting to the at 
least one open port data configured to cause the at least one open port to return at least 
one banner, and generating, based on the at least one banner, a third identification of 
which operating system is executed by the network node and a third confidence level 
indicating a degree to which the third identification is deemed accurate; and 

generating an overall identification, based on at least the first identification, 
the first confidence level, the second identification, the second confidence level, the 
third identification, and the third confidence level, of the operating system executed 
by the network node. 

25. The method of Claim 24, wherein the network node is one of a computer, a 
router, and a printer. 
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26. The method of Claim 24, wherein transmitting at least a first plurality of 
Internet Control Message Protocol packets further includes transmitting at least a first User 
Datagram Protocol packet to the network node and receiving in response at least a second 
User Datagram Protocol packet, and wherein the generated second identification and second 
confidence level are based, in addition to the second plurality of Internet Control Message 
Protocol packets, on at least the second User Datagram Protocol packet. 

27. The method of Claim 24, further comprising generating a list of open ports on 
the network node and generating, based on the list of open ports, a fourth identification of 
which operating system is executed by the network node and a fourth confidence level 
indicating a degree to which the fourth determination is deemed accurate, wherein generating 
the overall identification of the operating system is further based on the fourth identification 
and the fourth confidence level. 

28. The method of Claim 27, further comprising determining whether NULL 
session access is available on at least one port configured to run at least one of a Server 
Message Block service and a NETBIOS service, and if such NULL session access is 
available, using such NULL session access to determine at least a major version and a minor 
version of the operating system executed by the network node, and generating, based on the 
major version and the minor version, a fifth identification of which operating system is 
executed by the network node and a fifth confidence level indicating a degree to which the 
fifth identification is deemed accurate, wherein generating the overall identification of the 
operating system is further based on the fifth identification and the fifth confidence level. 

29. The method of Claim 27, wherein generating overall identification of an 
operating system includes selecting as the overall identified operating system the operating 
system identified by one of the first identification, the second identification, the third 
identification, and the fourth identification. 

30. The method of Claim 27, wherein generating a list of open ports comprises 
retrieving a previously constructed list of open ports. 

3 1 . The method of Claim 27, wherein the first plurality of Transmission Control 
Protocol packets are compliant with a specification of Transmission Control Protocol packets 
defined by DARPA Request for Comments 793. 
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32. A method of identifying an operating system executed by a network node, 
comprising: 

executing a plurality of tests for identifying which operating system is 
executed by a network node, such that each test returns an identification of an 
operating system executed by the network node; 

assessing, based at least on one characteristic of each identification of the 
operating system returned by the plurality of tests, which of the tests to select for 
determining an overall identification of the operating system; and 

generating an overall identification of the operating system executed by the 
network node as the operating system that is identified by the detected test. 

33. The method of Claim 32, further comprising resolving conflicts among 
identifications made by the plurality of tests, wherein the resolving conflicts is based at least 
in part on comparing aggregated results from at least two of the plurality of tests with a 
plurality of conflict resolution definitions. 

34. The method of Claim 32, wherein each of the tests returns an identification of 
an operating system that is not influenced by the identification returned by any of the other 
tests. 

35. The method of Claim 32, wherein the plurality of tests includes at least a first 
test in which the returned identification of an operating system is generated based on at least 
connecting to at least one open port on the network node and transmitting to the open port 
data configured to cause the open port to return at least one banner. 

36. The method of Claim 35, wherein the plurality of tests further includes at least 
a second test in which the returned identification of an operating system is generated based 
on at least generating a list of open ports on the network node. 

37. The method of Claim 36, wherein at least one characteristic of each operating 
system identification on which the assessing of a test to rely upon is based is a confidence 
level that each operating system identification is correct. 

38. The method of Claim 37, wherein at least one confidence level concerning 
whether an operating system identification is correct is determined using a fitness calculation. 
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39. A method of identifying an operating system executed by a network node, 
comprising: 

executing a plurality of tests for identifying which operating system is 
executed by a network node, each test producing actual test results indicative of at 
least an identification of an operating system executed by the network node; 

determining that at least a plurality of the tests have actual test results that 
disagree about which operating system is executed by a network node; 

deriving, from the plurality of actual test results, a group of aggregate actual 
test results that includes at least a portion of at least two of the plurality of actual test 
results; 

comparing the group of aggregate actual test results with a plurality of conflict 
resolution definitions and finding a closest match between the group of aggregate 
actual test results and the conflict resolution definitions, wherein each conflict 
resolution definition is associated with an operating system that is deemed to be an 
operating system being executed by a network node; and 

making an overall identification of the operating system executed by the 
network node, wherein the overall identified operating system is deemed to be the 
operating system associated with the closest matched conflict resolution definition. 

40. The method of Claim 39, wherein the actual test results are further indicative 
of a confidence level indicating a degree to which the identification of an operating system 
executed by the network node is accurate. 

41. The method of Claim 39, wherein the plurality of tests includes a first test 
comprising transmitting a first plurality of Transmission Control Protocol packets to a 
network node on a computer network, receiving in response a second plurality of 
Transmission Control Protocol packets, and generating, based on characteristics of the second 
plurality of Transmission Control Protocol packets, a first identification of which operating 
system is executed by the network node. 
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42. The method of Claim 41, wherein the plurality of tests further includes a 
second test comprising transmitting at least a first plurality of Internet Control Message 
Protocol packets to the network node, receiving in response at least a second plurality of 
Internet Control Message Protocol packets, and generating, based at least on characteristics of 
the second plurality of Internet Control Message Protocol packets, a second determination of 
which operating system is executed by the network node. 

43. The method of Claim 42, wherein the plurality of tests further includes a third 
test comprising connecting to at least one open port on the network node, transmitting to the 
open port data configured to cause the open port to return at least one banner, and generating, 
based on the at least one banner, a third determination of which operating system is executed 
by the network node. 

44. The method of Claim 43, wherein the plurality of tests further includes a 
fourth test comprising generating a list of open ports on the network node and generating, 
based on the list of open ports, a fourth determination of which operating system is executed 
by the network node. 

45. The method of Claim 44, wherein the plurality of tests further includes a fifth 
test comprising determining whether NULL session access is available on at least one port 
configured to run at least one of a Server Message Block service and a NETBIOS service, 
and if such NULL session access is available, using such NULL session access to determine 
at least a major version and a minor version of the operating system executed by the network 
node, and generating, based on the major version and the minor version, a fifth determination 
of which operating system is executed by the network node. 
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